Extracted

• • Target

    XClient.exe

  • Size

    37KB

  • MD5

    d837db914680e0e91ee392cf2b3f3d2b

  • SHA1

    30f2fc5f58250895f74969d1a7c932f68efcd9af

  • SHA256

    2835c974cc09bb061c2737418d331ca8a338936f7d986ce848396c78b35845be

  • SHA512

    aff4c2cafa23813d5c16ccd8baa8247697cc444c3642140610113f7e4854c083fad514ef3a6441b1fb3075e819af8599d1c5f5b3725c89521045f55598ebcd7b

  • SSDEEP

    768:xz5lT+Q2PeKmxzHAXFyK9Oi26YOjhDPygM:xz512PGLuF39726YOj9u

  Score

  10^/10

  neshtaxwormexecutionpersistenceratspywarestealertrojan

  • Detect Neshta payload

  • Detect Xworm Payload

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies system executable filetype association

    persistence

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral1behavioral2